diff options
| author | Aaron Conole <aconole@redhat.com> | 2018-02-19 09:55:43 -0500 |
|---|---|---|
| committer | Ansis Atteka <aatteka@ovn.org> | 2018-02-23 10:13:52 -0800 |
| commit | ee1c7296ece67b5b35e528620c645a9c3f2a5c16 (patch) | |
| tree | a7358d8582e4a6a91a49d9f72d63d3f1af0359e8 /selinux | |
| parent | ee29e9feb235136f0055c124d87bd9a68bf8e71a (diff) | |
| download | openvswitch-ee1c7296ece67b5b35e528620c645a9c3f2a5c16.tar.gz | |
selinux: allow dpdkvhostuserclient sockets with newer libvirt
Newer libvirt and openstack versions will now label the unix socket as
an `svirt_tmpfs_t` object. This means that in order to support
deploying with the recommended configuration (using a
dpdkvhostuserclient socket), additional permissions need to be
installed as part of the selinux policy.
An example of some of the AVC violations:
type=AVC msg=audit(1518752799.102:978): avc: denied { write }
for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto }
for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:svirt_t:s0:c106,c530
tclass=unix_stream_socket
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Diffstat (limited to 'selinux')
| -rw-r--r-- | selinux/openvswitch-custom.te.in | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index c1a774f0e..7b9c1c7a0 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -14,6 +14,7 @@ require { type hugetlbfs_t; type kernel_t; type svirt_image_t; + type svirt_tmpfs_t; type vfio_device_t; @end_dpdk@ @@ -26,6 +27,7 @@ require { class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; @begin_dpdk@ + class sock_file { read write append getattr open }; class tun_socket { relabelfrom relabelto create }; @end_dpdk@ } @@ -50,5 +52,8 @@ allow openvswitch_t hugetlbfs_t:file { create unlink }; allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t self:tun_socket { relabelfrom relabelto create }; allow openvswitch_t svirt_image_t:file { getattr read write }; +allow openvswitch_t svirt_tmpfs_t:file { read write }; +allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; +allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; @end_dpdk@ |